feat: overhaul

kubernetes/apps/kube-system/cilium/app/configmap.yaml

@@ -1,18 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: bgp-config
-  namespace: kube-system
-data:
-  config.yaml: |
-    peers:
-      - peer-address: ${LOCAL_LAN_OPNSENSE}
-        peer-asn: 64512
-        my-asn: 64512
-    address-pools:
-      - name: default
-        protocol: bgp
-        addresses:
-          - ${CILIUM_BGP_SVC_RANGE}
-        avoid-buggy-ips: true

kubernetes/apps/kube-system/cilium/app/helm-values.yaml

@@ -0,0 +1,72 @@
+---
+autoDirectNodeRoutes: true
+bandwidthManager:
+  enabled: true
+bbr: true
+bgpControlPlane:
+  enabled: true
+cgroup:
+  automount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+cluster:
+  id: 1
+  name: talos-cluster
+cni:
+  exclusive: false
+enableIPv4BIGTCP: true
+endpointRoutes:
+  enabled: true
+envoy:
+  enabled: false
+hubble:
+  enabled: false
+ipam:
+  mode: kubernetes
+ipv4NativeRoutingCIDR: 10.69.0.0/16
+k8sServiceHost: localhost
+k8sServicePort: 7445
+kubeProxyReplacement: true
+kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+l2announcements:
+  enabled: true
+loadBalancer:
+  algorithm: maglev
+  mode: dsr
+localRedirectPolicy: true
+operator:
+  replicas: 2
+  rollOutPods: true
+  prometheus:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  dashboards:
+    enabled: true
+prometheus:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    trustCRDsExist: true
+dashboards:
+  enabled: true
+rollOutCiliumPods: true
+routingMode: native
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE

kubernetes/apps/kube-system/cilium/app/helmrelease.yaml

@@ -3,8 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: &app cilium
-  namespace: &ns kube-system
+  name:  cilium
 spec:
   interval: 30m
   chart:
@@ -26,89 +25,35 @@ spec:
       retries: 3
   uninstall:
     keepHistory: false
+  valuesFrom:
+    - kind: ConfigMap
+      name: cilium-helm-values
   values:
-    autoDirectNodeRoutes: true
-    bgp:
-      announce:
-        loadbalancerIP: true
-      enabled: true
-    cluster:
-      id: 1
-      name: cluster-0
-    enableRuntimeDeviceDetection: true
-    endpointRoutes:
-      enabled: true
     hubble:
       enabled: true
       metrics:
         enabled:
-          - dns:query;ignoreAAAA
+          - dns:query
           - drop
           - tcp
           - flow
           - port-distribution
           - icmp
           - http
+        serviceMonitor:
+          enabled: true
+        dashboards:
+          enabled: true
       relay:
         enabled: true
         rollOutPods: true
-      serviceMonitor:
-        enabled: true
+        prometheus:
+          serviceMonitor:
+            enabled: true
       ui:
         enabled: true
+        rollOutPods: true
         ingress:
           enabled: true
-          className: nginx
-          hosts:
-            - &host "cilium.${SECRET_EXTERNAL_DOMAIN}"
-          tls:
-            - hosts:
-                - *host
-        rollOutPods: true
-    ipam:
-      mode: kubernetes
-    ipv4NativeRoutingCIDR: ${CILIUM_POD_CIDR}
-    k8sServiceHost: localhost
-    k8sServicePort: 7445
-    kubeProxyReplacement: true
-    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
-    l2announcements:
-      enabled: true
-    loadBalancer:
-      algorithm: maglev
-      mode: dsr
-    localRedirectPolicy: true
-    operator:
-      rollOutPods: true
-    rollOutCiliumPods: true
-    securityContext:
-      capabilities:
-        ciliumAgent:
-          - CHOWN
-          - KILL
-          - NET_ADMIN
-          - NET_RAW
-          - IPC_LOCK
-          - SYS_ADMIN
-          - SYS_RESOURCE
-          - DAC_OVERRIDE
-          - FOWNER
-          - SETGID
-          - SETUID
-        cleanCiliumState:
-          - NET_ADMIN
-          - SYS_ADMIN
-          - SYS_RESOURCE
-    cgroup:
-      autoMount:
-        enabled: false
-      hostRoot: /sys/fs/cgroup
-    l7proxy: true
-    routingMode: native
-    ingressController:
-      enabled: false
-      defaultSecretNamespace: networking
-      defaultSecretName: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
-      loadbalancerMode: shared
-      service:
-        loadBalancerIP: 192.168.169.115
+          className: internal
+          hosts: ["hubble.${SECRET_EXTERNAL_DOMAIN}"]

kubernetes/apps/kube-system/cilium/app/kustomization.yaml

@@ -2,7 +2,11 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
-  - ./configmap.yaml
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: cilium-helm-values
+    files:
+      - values.yaml=./helm-values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/kube-system/cilium/config/bgp-policy.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+metadata:
+  name: bgp-loadbalancer-ip-main
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: "linux"
+  virtualRouters:
+    - localASN: 64512
+      exportPodCIDR: false
+      serviceSelector:
+        matchExpressions:
+          - key: thisFakeSelector
+            operator: NotIn
+            values:
+              - will-match-and-announce-all-services
+      neighbors:
+        - peerAddress: ${LOCAL_LAN_OPNSENSE}/24
+          peerASN: 64512

kubernetes/apps/kube-system/cilium/config/bgp-pool.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: main-pool
+spec:
+  blocks:
+    - cidr: ${CILIUM_BGP_SVC_RANGE}

kubernetes/apps/kube-system/cilium/config/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./bgp-policy.yaml
+  - ./bgp-pool.yaml

kubernetes/apps/kube-system/cilium/ks.yaml

@@ -1,15 +1,12 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
-  name: &app cilium
+  name: &app cilium-app
   namespace: flux-system
 spec:
   targetNamespace: kube-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
   path: ./kubernetes/apps/kube-system/cilium/app
   prune: false
   sourceRef:
@@ -19,6 +16,23 @@ spec:
   interval: 30m
   retryInterval: 1m
   timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cilium-config
+  namespace: flux-system
+spec:
+  targetNamespace: kube-system
+  dependsOn:
+    - name: cilium-app
+  path: ./kubernetes/apps/kube-system/cilium/config
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/kube-system/coredns/app/helm-values.yaml

@@ -0,0 +1,51 @@
+---
+fullnameOverride: coredns
+replicaCount: 2
+k8sAppLabelOverride: kube-dns
+serviceAccount:
+  create: true
+service:
+  name: kube-dns
+  clusterIP: 10.96.0.10
+servers:
+  - zones:
+      - zone: .
+        scheme: dns://
+        use_tcp: true
+    port: 53
+    plugins:
+      - name: errors
+      - name: health
+        configBlock: |-
+          lameduck 5s
+      - name: ready
+      - name: log
+        configBlock: |-
+          class error
+      - name: prometheus
+        parameters: 0.0.0.0:9153
+      - name: kubernetes
+        parameters: cluster.local in-addr.arpa ip6.arpa
+        configBlock: |-
+          pods insecure
+          fallthrough in-addr.arpa ip6.arpa
+      - name: forward
+        parameters: . /etc/resolv.conf
+      - name: cache
+        parameters: 30
+      - name: loop
+      - name: reload
+      - name: loadbalance
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+        - matchExpressions:
+            - key: node-role.kubernetes.io/control-plane
+              operator: Exists
+tolerations:
+  - key: CriticalAddonsOnly
+    operator: Exists
+  - key: node-role.kubernetes.io/control-plane
+    operator: Exists
+    effect: NoSchedule

kubernetes/apps/kube-system/coredns/app/helmrelease.yaml

@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: coredns
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: coredns
+      version: 1.37.0
+      sourceRef:
+        kind: HelmRepository
+        name: coredns
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  valuesFrom:
+    - kind: ConfigMap
+      name: coredns-helm-values

kubernetes/apps/kube-system/coredns/app/kustomization.yaml

@@ -2,6 +2,11 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: coredns-helm-values
+    files:
+      - values.yaml=./helm-values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/kube-system/coredns/ks.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app coredns
+  namespace: flux-system
+spec:
+  targetNamespace: kube-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/kube-system/coredns/app
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app

kubernetes/apps/kube-system/descheduler/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/external-secrets/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -23,7 +23,7 @@ spec:
     substitute:
       APP: *app
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml

@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: &app onepassword-connect
-  namespace: kube-system
 spec:
   interval: 30m
   chart:
@@ -44,7 +43,7 @@ spec:
               tag: 1.7.2@sha256:da8cb369fb841a7bd9447c909d273de4053ecc9c2b2e6432c5af6c2e08b82da1
             env:
               OP_BUS_PORT: "11220"
-              OP_BUS_PEERS: "localhost:11221"
+              OP_BUS_PEERS: localhost:11221
               OP_HTTP_PORT: &port 8080
               OP_SESSION:
                 valueFrom:
@@ -86,7 +85,7 @@ spec:
             env:
               - { name: OP_HTTP_PORT, value: &sport 8081 }
               - { name: OP_BUS_PORT, value: "11221" }
-              - { name: OP_BUS_PEERS, value: "localhost:11220" }
+              - { name: OP_BUS_PEERS, value: localhost:11220 }
               - name: OP_SESSION
                 valueFrom:
                   secretKeyRef:
@@ -120,7 +119,7 @@ spec:
     ingress:
       app:
         enabled: true
-        className: nginx
+        className: internal
         annotations:
           hajimari.io/enable: "false"
         hosts:

kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml

@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
   - ./clustersecretstore.yaml
   - ./helmrelease.yaml

kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml

@@ -3,11 +3,10 @@ apiVersion: v1
 kind: Secret
 metadata:
     name: onepassword-connect-secret
-    namespace: kube-system
 type: Opaque
 stringData:
     onepassword-credentials.json: ENC[AES256_GCM,data:vVOz94aHx8jMRGQNw1a0Sio0HI7AVNT9r0nkdaRyRop/20e4lvNU+PyfnlskTdya0Ty62mZNH78Uj2+vXIgh8z5ROzulLx61MKdKSEfQqwwnbZ5mPIgZT6QHTtG/pXHj2IUGW7m0v173avxtpq0PPr5sum9Eg1QNnTSqgSwmmD3D0Q0lY0mxbYA7x5ERd6354nTqV+93f2RHNZ0JIYG72L3xMn+TdaO4TfgmZRSjXsRGCOhfISdEg69d4/NHMAQOSkDT6eoAlbIco5Tel7n4BxGi8Je+EH4J/HdzeHNtQliJuAwXXsrYWS2qaJxoBXTPuBeuVZYohoRUcF2qH8uHYINDR7mrHiByCvtxxKXs33hLTbAHUhCnMUJ4hLqyWZ/tnH5w/EdsSlsMpPVEyBc6xOZZrmL40M4b4M+O++Hoah0Bv2zw3K9JR5EwP6fezuNq0YP6hb9nds9UfZ6RsIAsOKWDt7MaO/cLMRU/0eqCgKX4tnJUM3+t+ns/p27iKGyn4DFtj3HA7wPYmuPfTDhFmA0exG3PaSsV6ITVzbrScqtPyEU8QyWdk5IAUPccZlyWTRr7CKYXtXzbUeYCGmNNsa3VuVKMRoAXTpgT6+ww0h+BVkquednurlgtUNX+nPA7vzIzPuHoQUWZbDL/kGq1rEPHF3MGwkNjLyRvMbh412n5916eNQ+r+0ZN8SZ2SoWN4IRAfa99gXlcBmZ04zPvDIhKJtFwrLgtfnqiqi2FAcILZhNFBv2uxcEFlZ1iKDdJTmue/JPuG4L3hqMcVRuKWSjJSsdYBs4GY4YLy4u+vOeh1hqIzW8zHonh7ukOA/5UfUx/O8OQ+cXY/4bZQgBuLUXaGzT/CLsrdoWW2/Ks7tvcAgJBXxXWHk0PWjLo+OQYbmM5aIjHAJY3uGiq4rjKQbAtaJUUu5dzMDnGdOnh86TJet4bSt6jF6ainaNjYNc4MaJX5zVC7mj78iBvzFa7BfzSzp47hPo3w5OS3/XvJQ1ch15DmDpu2t7MEqxE0KL8qxM0IbcDdC5nVUEBsxqTNndBlwl2a6rPSoukCwf3VBQ5dzbTisxaHyWz5XFbxWhYCtaofrN0opxBH2Abh1oUu6bFFIOsD2iXgtL+GcD+w0LjpTqP54TXRXNXK/IEwNhxuCYQ2skCzBEwQIMd370GF8tGy4jo9ttH3KYR50C6Ugw5ZQc9PcbOEisMSdvOvXl99CDHCbpXdv2nnDSWZ1XZVeiPdymBClMAXzOigaWD/p8YjM8PXOW6Ik7pM4/nIhtzrBaZCehrzntnjevfxAOBgviu4FKWBO4JognerlP/MAjL49P3EDYoy0karHMlCL+UZu2FHkoixM40gG5bQx2bMGUZ9nkzYM1nJz4i2PDQMQi7Mxi0wRi4WOFsRgl9c7gH1Ws6c+Z0O3Uul4pN7NCLtd5hqmYtqUeXIa/egaR9Buv5gmkGnF5+kPu5g5x04yc2UUIGpsD/V05B8jIp3DmMmQSO4Sa3+8c6F4n91QCe74U7Q3zlN59PFYc/Cx9kal80vphAwJ/lRfvlws1OXPtOUKe7iy0VcjJblNAtZwJTpdYE/tJtCBteeIfah9/wPBKSqrzJ4kXz8DldPiCUmWyVcWqjakZT5kYqlgxlk6Nt8/Pu1Tgwpgkl4vzlRhyvuRLfq7jkb78iR0yhPJBT/gBO+RRG/NRZTeYYzGMr/ZRVsOUfPzjnhsTfZTZO5g5SIUT0oCmTnkN440tSGXtW61d/PNSJKH2Wutt6lV+cGkTuHmgRatmh7to0YohrfJcLq19IygUh3QckK0tLCo/DTRjbE7NH1UkqzvDew0NNY+GsrhHMA4wBixQ2UFr6D7Hqx5mkIn/UXTJyXbuLrTHnZ8XfDCZ9HHm5c4nP85vXHxP0f81P6aN4OPArLRKpiGhDdhmCDOFE0kDsjjN5JsXg,iv:6yAbNoRVVpX+IQjCbktN/ukB8a+bhOOAEd45rxgaJYQ=,tag:S3Mi7dKSyxW/OAzkE2GWtA==,type:str]
-    token: ENC[AES256_GCM,data:oXhsBpqi1+y+gfKi55aXM27f3fTYlBL183r/IfaCDQKdDk5myyk+WZduJWjvjkQm4zjQFDG+DNVqViJVAzzctAfER5rlU9z76YxWTHoc6CGZd9o+hJkhsnDmdie6taTLvq/9FcQVcez6DYjLniuLenjN808ELWo1gt1CN04f8Ih+jGYHmlxUT/uigambjTELCFRWcZwZvH6y2SMNtmQT0tbqdi2JmdtW7Rh04BKkPDjH3Bw7iNYdFyqfk95gbkhw+JLDyOKp5G5luEQSpyxU2E5cI5It1tD6zAsE874TxvDj2Hea6dK5GAaMGoMygCbQwuCxlmmHbYkq6dGj9twAAVOUgocv4L7COrRxaCUu6zcNc4U7xrYkEMS57+eFFUkOGkVhcJ6kHgnVtadbW/VlUEqhukoylNWDkvAXKr4W5qzs1yxdxiH0xa+0c0/Eq7nIWsRNDBtwgnEuk2x7vVtgAFC82VS7CfGQ5x7EObjV9V0iaFgXmXfKKnDw38Thjy85YgBgVm0sK7uutpCwfC2nihLXxVBWqcLlXI+JP1s3bNXmZLEokvELX8P4Z6cXXIFYT9ctgn3RsAJBXGt5S0THyQKQbSmA2Xp8gruuzjNKKzdBZtAd6V/PFf0auWQoYdBMOu5f7TKJqyAvb8weL/8jpdHxGCpJg+iTAHUFGmBMj67KtPWZFAoM519K6i3lg+rOjH7FHNTK1FM0gCWtZO0ogp+qvS3nNTF2cFsSNfRjWoJmRmTnPrIV0FPY5cQ145/8/8feiMx2PrzECWYByi3t3JHUTd+RIC4Yj3w0SOvdMtndSEMeWZj6/YvoInOAC842D6J4GLJ4Q9ybHiXBm3eayRE4,iv:0/kEup5L+qJfmC7NOU8KaCpceHa6DvQp3KHGqHHfZKE=,tag:eGMIbzowAm8lsU/7q7TmjA==,type:str]
+    token: ENC[AES256_GCM,data:7yDxo39qbHCTQ2MzZvmRTGTptGlR0Nm0yUJP7pA9lVy3M4w59WY1/47Q0aKxD3tDhs4R549z1cXTfntF8FZe1/YoQr7D15IOx5sa+Ei0OCpzsKLb3ngk8sxxiRbmgo2H2fAkuiEe8lsqHEN7pUrdTMjOX//tsem3bH4XZUJwUdlU6LPrwj6JP7oUKbM+qmJ+1YXcOUhumwork5qWyGC1TrFAKsD2XXqZknkw/qNDcr9Y39ph10hBTT4WRYsrmXLMqKsU0wuD7mfaRHI5ZJmGCsXqXTFavlYHadG0X8gQ/RK4l3sKxxc6Z7w05In8PwSeQOcy09rqZj9rUqCa4x046l7SmW2Ns+gGdDopaJQIRW7uuw0a4kMtnE6FCIuZyz4CqnlUyN2odO7H074tyjQjByFmHiG0udy0+LrfXvXkGV5Rz3qVE1byV84UnbCGYavJDvAq4oDiWq8SRgrLS+VVZeDD11IGx28rKpn465nh1+HmcV8hrHBPD3KkTJCCOg21F+zEnbItsqoICWGcEWVxdtTujfP6yh6RcfuBZPZiAq7oe2tl8fJiLKb1jDHbRWWb/1ailkd9OiamSQosu2bAY7SUNFqI7R8SLByqqImBTcnNQ02ZTJKoYh8GMg87l1ZQe6bYd5AallRNT7YclJFtiH8OzVYK6Kgn7cYBgJQmWbLnLK2ido1jos8gZ8Ti1Uu2pWRw6bnK8ZH/vti6jGnYP8ot2iMT/bOUxDP5hmovuHRrv/J5qjfOXsBRrpHfMEtmF5gaQtgdwXuf2LVvr90lOw+zwz7JWtzXs14QhEnmKtDQMBYO0Ro6HSLS2O3oNEfwlPJdbpU4YJf7wQyTg0/iU3LEdg==,iv:PHJ1zL9f+Ucy+lJN95ILTyXbqOKQecV0sC/env0qk3U=,tag:jkAeCrzx0GWatr9ZFE+/dw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -23,8 +22,8 @@ sops:
             OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
             LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-07T23:26:27Z"
-    mac: ENC[AES256_GCM,data:2FbAt4qdwgE3UkxYxtSluGN8iXMW5aEAxqzzcHfetifh/gtm4x9qMn6JVv4TUoBcCYzWLD+X7dyOBiSi5uWGSbL0owEB5tXj0dQW7aCNjC3hH+Y34i/+C2AYfq/hhiAV1iwyXNSu2iSKZMDbbQNkoAii/ZLsxFuBrBclACAHFWM=,iv:FRjfKHprJXFsbku4cQtZmm74ZbHsh8aqno+aRssjImM=,tag:Sh5zKXVDzl/ukpFK5lloXw==,type:str]
+    lastmodified: "2025-01-05T12:25:23Z"
+    mac: ENC[AES256_GCM,data:3KguzE81b3dKWytHq52X866gJB2sHvGQYvFs0Rq6wlCLSwhIX/BVUvvuCWLZstBGyTb60HYUWqiu2isHqN4mzRiqHnKRh3qw3bzkNwbLaGa0ITxV5FrDFdrvaWD7PTPGSHTBtFRc9n3vZqDNk54chkx/8jdNKf9blybgnBPqIVM=,iv:xJx7QfBv1Tkz25S050pDgwZ/U/FAvEyL+kkdDif+BJU=,tag:lXR/EsV+/uDJiTb/ZwaycA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
-    version: 3.9.0
+    version: 3.9.3

kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml

@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app fstrim
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.6.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      fstrim:
+        type: cronjob
+        cronjob:
+          schedule: 0 0 * * 0
+          parallelism: 4 # Set to total number of nodes
+          successfulJobsHistory: 1
+          failedJobsHistory: 1
+        containers:
+          app:
+            image:
+              repository: ghcr.io/onedr0p/kubanetics
+              tag: 2024.12.4@sha256:4941a46bd7c05ce1de1f0f2e98137db44cf116312b33d9c7d0e3619679250bd4
+            env:
+              SCRIPT_NAME: fstrim.sh
+            resources:
+              requests:
+                cpu: 25m
+              limits:
+                memory: 128Mi
+            securityContext:
+              privileged: true
+    defaultPodOptions:
+      hostNetwork: true
+      hostPID: true
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    persistence:
+      procfs:
+        type: hostPath
+        hostPath: /proc
+        hostPathType: Directory
+        globalMounts:
+          - path: /host/proc
+            readOnly: true
+      netfs:
+        type: hostPath
+        hostPath: /sys
+        hostPathType: Directory
+        globalMounts:
+          - path: /host/net
+            readOnly: true

kubernetes/apps/kube-system/fstrim/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/apps/kube-system/fstrim/ks.yaml

@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app fstrim
+  namespace: flux-system
+spec:
+  targetNamespace: kube-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/kube-system/fstrim/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app

kubernetes/apps/kube-system/intel-device-plugin/exporter/helmrelease.yaml

@@ -1,70 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: &app intel-gpu-exporter
-  namespace: kube-system
-spec:
-  interval: 30m
-  chart:
-    spec:
-      chart: app-template
-      version: 3.6.0
-      sourceRef:
-        kind: HelmRepository
-        name: bjw-s
-        namespace: flux-system
-  maxHistory: 2
-  install:
-    createNamespace: true
-    remediation:
-      retries: 3
-  upgrade:
-    cleanupOnFail: true
-    remediation:
-      strategy: rollback
-      retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    defaultPodOptions:
-      nodeSelector:
-        intel.feature.node.kubernetes.io/gpu: "true"
-    controllers:
-      intel-gpu-exporter:
-        type: daemonset
-        containers:
-          app:
-            image:
-              repository: ghcr.io/onedr0p/intel-gpu-exporter
-              tag: rolling@sha256:5782b746f507149e7c3d5f7b19fe8d834fda854f117afcbdd21ecf822ef1ee02
-            resources:
-              requests:
-                gpu.intel.com/i915_monitoring: 1
-                cpu: 100m
-                memory: 100Mi
-              limits:
-                gpu.intel.com/i915_monitoring: 1
-                memory: 500Mi
-            securityContext:
-              privileged: true
-    service:
-      app:
-        controller: *app
-        ports:
-          http:
-            port: 8080
-    serviceMonitor:
-      app:
-        serviceName: app
-        enabled: true
-        endpoints:
-          - port: http
-            scheme: http
-            path: /metrics
-            interval: 1m
-            scrapeTimeout: 10s
-            relabelings:
-              - sourceLabels: [__meta_kubernetes_pod_node_name]
-                targetLabel: node

kubernetes/apps/kube-system/intel-device-plugin/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -23,7 +23,7 @@ spec:
     substitute:
       APP: *app
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -46,27 +46,3 @@ spec:
   postBuild:
     substitute:
       APP: *app
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
-  name: &app intel-device-plugin-exporter
-  namespace: flux-system
-spec:
-  targetNamespace: kube-system
-  commonMetadata:
-    labels:
-      app.kubernetes.io/name: *app
-  path: ./kubernetes/apps/kube-system/intel-device-plugin/exporter
-  prune: true
-  sourceRef:
-    kind: GitRepository
-    name: home-ops-kubernetes
-  wait: false
-  interval: 30m
-  retryInterval: 1m
-  timeout: 5m
-  postBuild:
-    substitute:
-      APP: *app

kubernetes/apps/kube-system/k8s-ycl/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml

@@ -0,0 +1,8 @@
+---
+replicas: 1
+providerRegex: ^talos-\d$
+bypassDnsResolution: true
+metrics:
+  enable: true
+  serviceMonitor:
+    enabled: true

kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml

@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: kubelet-csr-approver
-  namespace: kube-system
 spec:
   interval: 30m
   chart:
@@ -15,18 +14,14 @@ spec:
         kind: HelmRepository
         name: postfinance
         namespace: flux-system
-  maxHistory: 2
   install:
-    createNamespace: true
     remediation:
       retries: 3
   upgrade:
     cleanupOnFail: true
     remediation:
+      strategy: rollback
       retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    providerRegex: ^talos-node-[1-9]$
-    namespace: kube-system
-    bypassDnsResolution: true
+  valuesFrom:
+    - kind: ConfigMap
+      name: kubelet-csr-approver-helm-values

kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml

@@ -2,6 +2,11 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: kubelet-csr-approver-helm-values
+    files:
+      - values.yaml=./helm-values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/kustomization.yaml

@@ -7,10 +7,12 @@ resources:
   - ./namespace.yaml
   # Flux-Kustomizations
   - ./cilium/ks.yaml
+  - ./coredns/ks.yaml
   - ./descheduler/ks.yaml
   - ./external-secrets/ks.yaml
+  - ./fstrim/ks.yaml
   - ./intel-device-plugin/ks.yaml
-  - ./k8s-ycl/ks.yaml
+  # - ./k8s-ycl/ks.yaml
   - ./kubelet-csr-approver/ks.yaml
   - ./metrics-server/ks.yaml
   - ./node-feature-discovery/ks.yaml

kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml

@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: metrics-server
-  namespace: kube-system
 spec:
   interval: 30m
   chart:
@@ -15,23 +14,21 @@ spec:
         kind: HelmRepository
         name: metrics-server
         namespace: flux-system
-  maxHistory: 2
   install:
-    createNamespace: true
     remediation:
       retries: 3
   upgrade:
     cleanupOnFail: true
     remediation:
+      strategy: rollback
       retries: 3
-  uninstall:
-    keepHistory: false
   values:
     args:
       - --kubelet-insecure-tls
       - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
       - --kubelet-use-node-status-port
-      - --metric-resolution=15s
+      - --metric-resolution=10s
+      - --kubelet-request-timeout=2s
     metrics:
       enabled: true
     serviceMonitor:

kubernetes/apps/kube-system/metrics-server/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/namespace.yaml

@@ -14,7 +14,7 @@ metadata:
   namespace: kube-system
 spec:
   type: alertmanager
-  address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/
+  address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3

kubernetes/apps/kube-system/node-feature-discovery/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -23,7 +23,7 @@ spec:
     substitute:
       APP: *app
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/reloader/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/snapshot-controller/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:

kubernetes/apps/kube-system/spegel/app/helm-values.yaml

@@ -0,0 +1,12 @@
+---
+spegel:
+  appendMirrors: true
+  containerdSock: /run/containerd/containerd.sock
+  containerdRegistryConfigPath: /etc/cri/conf.d/hosts
+service:
+  registry:
+    hostPort: 29999
+serviceMonitor:
+  enabled: true
+grafanaDashboard:
+  enabled: true

kubernetes/apps/kube-system/spegel/app/helmrelease.yaml

@@ -3,38 +3,25 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: &name spegel
-  namespace: kube-system
+  name: spegel
 spec:
   interval: 30m
   chart:
     spec:
-      chart: *name
+      chart: spegel
       version: v0.0.28
       sourceRef:
         kind: HelmRepository
         name: spegel
         namespace: flux-system
-  maxHistory: 2
   install:
-    createNamespace: true
     remediation:
       retries: 3
   upgrade:
     cleanupOnFail: true
     remediation:
+      strategy: rollback
       retries: 3
-  uninstall:
-    keepHistory: false
-  values:
-    spegel:
-      appendMirrors: true
-      containerdSock: /run/containerd/containerd.sock
-      containerdRegistryConfigPath: /etc/cri/conf.d/hosts
-    service:
-      registry:
-        hostPort: 29999
-    grafanaDashboard:
-      enabled: true
-    serviceMonitor:
-      enabled: true
+  valuesFrom:
+    - kind: ConfigMap
+      name: spegel-helm-values

kubernetes/apps/kube-system/spegel/app/kustomization.yaml

@@ -4,3 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./helmrelease.yaml
+configMapGenerator:
+  - name: spegel-helm-values
+    files:
+      - values.yaml=./helm-values.yaml
+configurations:
+  - kustomizeconfig.yaml

kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/kube-system/spegel/ks.yaml

@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata: